Commit 79373ca3bd for openssl.org

commit 79373ca3bd4c26e9a4896e4c198828909cc6deec
Author: slontis <shane.lontis@oracle.com>
Date:   Mon Jun 29 09:50:07 2026 +1000

    FIPS: EC keygen - remove unnecessary self tests.

    In FIPS mode EC keygen was doing 3 self tests.
    ec_generate_key() was calling both ecdsa_keygen_pairwise_test() and
    ecdsa_keygen_knownanswer_test(). The KAT did a key recomputation and
    comparison with the generated key, as per Sp80056Ar3 section 5.6.2.1.4.
    These tests covered both Keygen PCT for Key Agreement and Signatures.
    ossl_ec_key_pairwise_check() was also being called from within ec_gen().
    The advice from Atsec (lab) is that the sign/verify test within
    ecdsa_keygen_pairwise_test() is sufficient according to the updated
    rules in FIPS 140-3 IG 10.3.A Additional comment 1, Since the usage of
    the generated key is unknown at the time of key generation.

    Detected during testing of Jipher by Roshith Alankandy (Oracle).

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    MergeDate: Mon Jul 13 14:47:00 2026
    (Merged from https://github.com/openssl/openssl/pull/31761)

diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index f5175653fa..44791a2c3e 100644
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -213,56 +213,6 @@ int ossl_ec_key_gen(EC_KEY *eckey)
     return ret;
 }

-/*
- * Refer: FIPS 140-3 IG 10.3.A Additional Comment 1
- * Perform a KAT by duplicating the public key generation.
- *
- * NOTE: This issue requires a background understanding, provided in a separate
- * document; the current IG 10.3.A AC1 is insufficient regarding the PCT for
- * the key agreement scenario.
- *
- * Currently IG 10.3.A requires PCT in the mode of use prior to use of the
- * key pair, citing the PCT defined in the associated standard. For key
- * agreement, the only PCT defined in SP 800-56A is that of Section 5.6.2.4:
- * the comparison of the original public key to a newly calculated public key.
- */
-static int ecdsa_keygen_knownanswer_test(EC_KEY *eckey, BN_CTX *ctx,
-    OSSL_CALLBACK *cb, void *cbarg)
-{
-    int len, ret = 0;
-    OSSL_SELF_TEST *st = NULL;
-    unsigned char bytes[512] = { 0 };
-    EC_POINT *pub_key2 = NULL;
-
-    st = OSSL_SELF_TEST_new(cb, cbarg);
-    if (st == NULL)
-        return 0;
-
-    OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT_KAT,
-        OSSL_SELF_TEST_DESC_PCT_ECDSA);
-
-    if ((pub_key2 = EC_POINT_new(eckey->group)) == NULL)
-        goto err;
-
-    /* pub_key = priv_key * G (where G is a point on the curve) */
-    if (!EC_POINT_mul(eckey->group, pub_key2, eckey->priv_key, NULL, NULL, ctx))
-        goto err;
-
-    if (BN_num_bytes(pub_key2->X) > (int)sizeof(bytes))
-        goto err;
-    len = BN_bn2bin(pub_key2->X, bytes);
-    if (OSSL_SELF_TEST_oncorrupt_byte(st, bytes)
-        && BN_bin2bn(bytes, len, pub_key2->X) == NULL)
-        goto err;
-    ret = !EC_POINT_cmp(eckey->group, eckey->pub_key, pub_key2, ctx);
-
-err:
-    OSSL_SELF_TEST_onend(st, ret);
-    OSSL_SELF_TEST_free(st);
-    EC_POINT_free(pub_key2);
-    return ret;
-}
-
 /*
  * ECC Key generation.
  * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates"
@@ -359,8 +309,7 @@ static int ec_generate_key(EC_KEY *eckey, int pairwise_test)
         void *cbarg = NULL;

         OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg);
-        ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg)
-            && ecdsa_keygen_knownanswer_test(eckey, ctx, cb, cbarg);
+        ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg);
     }
 err:
     /* Step (9): If there is an error return an invalid keypair. */
diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 57ff812793..28404502eb 100644
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -1325,18 +1325,6 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)

     if (gctx->group_check != NULL)
         ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check);
-#ifdef FIPS_MODULE
-    if (ret > 0
-        && !ossl_fips_self_testing()
-        && EC_KEY_get0_public_key(ec) != NULL
-        && EC_KEY_get0_private_key(ec) != NULL
-        && EC_KEY_get0_group(ec) != NULL) {
-        BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
-
-        ret = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
-        BN_CTX_free(bnctx);
-    }
-#endif /* FIPS_MODULE */

     if (ret > 0)
         return ec;
diff --git a/test/pairwise_fail_test.c b/test/pairwise_fail_test.c
index 3173225a0c..3446d23166 100644
--- a/test/pairwise_fail_test.c
+++ b/test/pairwise_fail_test.c
@@ -99,8 +99,6 @@ static int test_keygen_pairwise_failure(void)
         if (!TEST_ptr_null(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "RSA", (size_t)2048)))
             goto err;
     } else if (strncmp(pairwise_name, "ec", 2) == 0) {
-        if (strcmp(pairwise_name, "eckat") == 0)
-            type = OSSL_SELF_TEST_TYPE_PCT_KAT;
         if (!TEST_true(setup_selftest_pairwise_failure(type)))
             goto err;
         if (!TEST_ptr_null(pkey = EVP_PKEY_Q_keygen(libctx, NULL, "EC", "P-256")))
diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t
index eaf0dbbb42..ca2d1f96e4 100644
--- a/test/recipes/30-test_pairwise_fail.t
+++ b/test/recipes/30-test_pairwise_fail.t
@@ -22,7 +22,7 @@ use lib bldtop_dir('.');
 plan skip_all => "These tests are unsupported in a non fips build"
     if disabled("fips");

-plan tests => 9;
+plan tests => 8;
 my $provconf = srctop_file("test", "fips-and-base.cnf");

 run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]),
@@ -37,17 +37,11 @@ SKIP: {
 }

 SKIP: {
-    skip "Skip EC test because of no ec in this build", 2
+    skip "Skip EC test because of no ec in this build", 1
         if disabled("ec");
     ok(run(test(["pairwise_fail_test", "-config", $provconf,
                  "-pairwise", "ec"])),
        "fips provider ec keygen pairwise failure test");
-
-    skip "FIPS provider version is too old", 1
-        if !$fips_exit;
-    ok(run(test(["pairwise_fail_test", "-config", $provconf,
-                 "-pairwise", "eckat"])),
-       "fips provider ec keygen kat failure test");
 }

 SKIP: {